Apple security hole - the one line of code myth
Tue 25 Feb 2014, 09:49 AM
by Ben Langhinrichs
The widespread reports of the hole in iPhones, Macs using Safari and so forth have taken to repeating the myth that the problem is the one line of code with the "goto fail" problem.
The problem was that it wasn't detected. Security errors are caught by trying to get past the security, and it seems like the painful simplicity of getting past this security should have been detected very early. Also, Apple's original statement said that this was one line in 2000 that handles SSL security. Those same 2000 lines are copied many, many places, yet nobody seems to have done a code review of this critical part of the code. Trust me, programmers looking through this code would not miss the double goto. It stands out like a sore thumb.
How am I so sure of all this? Why, because it has happened to me more than once with our software products. I added an extra semicolon once that broke the CoexLinks security. The pseudocode below shows how easy that is:
/* Code that always drops through to the "do stuff" part */
/* do stuff */
/* Code that only drops through to the "do stuff" part if the test is successful */
/* do stuff */
Another time, I accidentally removed a return that broke the Midas security. But neither got released, because even though I don't have Apple's budget for security and QA and so forth, one thing I always do is try to use license files that are invalid, or get rid of the license altogether. It is incomprehensible to me that Apple would not try like crazy to break through SSL security each time before a release. The idea that they don't try harder to break their own security on a routine basis means that there may be many more subtle problems with their security. This one should have been a no-brainer, yet it is widespread in Apple's products. It is the other defects that aren't so glaringly obvious that should scare the hell out of Apple users.
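As an added illustration (not code from the post, CoexLinks, Midas, or Apple), the C below shows the shape of both slips described above, the duplicated goto and the stray semicolon after an if, next to a corrected version, and the kind of negative check the post argues for: hand the verifier a deliberately invalid credential and require rejection. The signature and license values are constructed stand-ins, not any real format.

```c
#include <stdbool.h>

/* Constructed stand-ins: "1" is the only good signature; hashing never fails here. */
static int check_signature(int sig) { return sig == 1 ? 0 : -1; }
static int hash_step(void) { return 0; }

/* Vulnerable shape: the second goto is unconditional, so the signature check
 * below it is dead code and err still holds the 0 from the last good step. */
int verify_with_double_goto(int sig) {
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = hash_step()) != 0)
        goto fail;
        goto fail;                  /* duplicated line: always jumps with err == 0 */
    if ((err = check_signature(sig)) != 0)
        goto fail;
fail:
    return err;                     /* 0 means "verified", even for a bad signature */
}

/* Corrected shape: one goto per check, so the signature check actually runs. */
int verify_fixed(int sig) {
    int err;
    if ((err = hash_step()) != 0)
        goto fail;
    if ((err = check_signature(sig)) != 0)
        goto fail;
fail:
    return err;
}

/* The stray-semicolon slip: the empty statement ends the if, so the block
 * that follows is no longer conditional and every license "passes". */
bool licensed_with_stray_semicolon(bool license_valid) {
    bool allow = false;
    if (license_valid);             /* empty statement; braces below always run */
    { allow = true; }
    return allow;
}

/* The negative test the post describes: an invalid credential must be rejected.
 * Returns true when the verifier correctly refuses the constructed bad input. */
bool rejects_invalid_credential(int (*verify)(int)) {
    return verify(0) != 0;          /* 0 is the constructed "bad signature" */
}
```

Running the negative check against both verifiers is the step that catches the defect before release: the double-goto version returns 0 for the bad signature, the fixed one does not.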
Copyright © 2014 Genii Software Ltd.